This method retrieves the list of possible roles that user can select
in the item permissions form. Admins can select any role so the
results are paginated in order to save the bandwidth and to speed
things up.
Standard users can select their own private role, any of their
sharing roles and any public role (not private and not sharing).

Return a sorted list of legitimate roles that can be associated with a permission on
item where item is a Library or a Dataset. The cntrller param is the controller from
which the request is sent. We cannot use trans.user_is_admin because the controller is
what is important since admin users do not necessarily have permission to do things
on items outside of the admin view.

If cntrller is from the admin side ( e.g., library_admin ):

if item is public, all roles, including private roles, are legitimate.

if item is restricted, legitimate roles are derived from the users and groups associated
with each role that is associated with the access permission ( i.e., DATASET_MANAGE_PERMISSIONS or
LIBRARY_MANAGE ) on item. Legitimate roles will include private roles.

If cntrller is not from the admin side ( e.g., root, library ):

if item is public, all non-private roles, except for the current user’s private role,
are legitimate.

if item is restricted, legitimate roles are derived from the users and groups associated
with each role that is associated with the access permission on item. Private roles, except
for the current user’s private role, will be excluded.

Method for checking a permission for the current user ( based on roles ) to perform a
specific action on an item, which must be one of:
Dataset, Library, LibraryFolder, LibraryDataset, LibraryDatasetDatasetAssociation

This should be the equivalent of allow_action defined on multiple items.
It is meant to specifically replace allow_action for multiple
LibraryDatasets, but it could be reproduced or modified for
allow_action’s permitted classes - Dataset, Library, LibraryFolder, and
LDDAs.

For a given list of library items (e.g., Datasets), return a map of the
datasets’ ids to whether they can have permission to use that action
(e.g., “access” or “modify”) on the dataset. The libitems input is
expected to be a simple list of library items, such as Datasets or
LibraryDatasets.
NB: This is currently only usable for Datasets; it was intended to
be used for any library item.

A dataset is considered public if there are no “access” actions
associated with it. Any other actions ( ‘manage permissions’,
‘edit metadata’ ) are irrelevant. Accessing dataset.actions
will cause a query to be emitted.

This method is historical (it is not currently used), but may be useful again at some
point. It returns a dictionary whose keys are library objects and whose values are a
comma-separated string of folder ids. This method works with the show_library_item()
method below, and it returns libraries for which the received user has permission to
perform the received actions. Here is an example call to this method to return all
libraries for which the received user has LIBRARY_ADD permission:

This method must be sent an instance of Library() or LibraryFolder(). Recursive execution produces a
comma-separated string of folder ids whose folders do NOT meet the criteria for showing. Along with
the string, True is returned if the current user has permission to perform any 1 of actions_to_check
on library_item. Otherwise, cycle through all sub-folders in library_item until one is found that meets
this criteria, if it exists. This method does not necessarily scan the entire library as it returns
when it finds the first library_item that allows user to perform any one action in actions_to_check.

This method must be sent an instance of Library(), all the folders of which are scanned to determine if
user is allowed to perform any action in actions_to_check. The param hidden_folder_ids, if passed, should
contain a list of folder IDs which was generated when the library was previously scanned
using the same actions_to_check. A list of showable folders is generated. This method scans the entire library.

This method must always be sent an instance of LibraryFolder(). Recursive execution produces a
comma-separated string of folder ids whose folders do NOT meet the criteria for showing. Along
with the string, True is returned if the current user has permission to access folder. Otherwise,
cycle through all sub-folders in folder until one is found that meets this criteria, if it exists.
This method does not necessarily scan the entire library as it returns when it finds the first
folder that is accessible to user.

A simple security agent which allows access to datasets based on host.
This exists so that externals sites such as UCSC can gain access to
datasets which have permissions which would normally prevent such access.

Returns a binary digest for the PBKDF2 hash algorithm of data
with the given salt. It iterates iterations time and produces a
key of keylen bytes. By default SHA-1 is used as hash function,
a different hashlib hashfunc can be provided.